[ipv6hackers] New IETF I-D: "Neighbor Discovery Shield (ND-Shield): Protecting against Neighbor Discovery Attacks"
fgont at si6networks.com
Tue Jun 5 15:33:40 CEST 2012
We have just published a new IETF I-D, entitled "Neighbor Discovery
Shield (ND-Shield): Protecting against Neighbor Discovery Attacks". This
is probably the last missing piece of the "ND mitigation" puzzle (the
others being RA-Guard and DHCPv6-Shield). This one mitigates attack
vectors based on RS, NS, NA, and Redirect messages.
The I-D is available at:
For this version in particular, I'm mostly interested in hearing your
thoughts about the issues raised in the "DISCLAIMER" section -- although
detailed feedback is always welcome.
-------- Original Message --------
Subject: New Version Notification for draft-gont-opsec-ipv6-nd-shield-00.txt
Date: Tue, 05 Jun 2012 06:05:24 -0700
From: internet-drafts at ietf.org
To: fgont at si6networks.com
A new version of I-D, draft-gont-opsec-ipv6-nd-shield-00.txt has been
successfully submitted by Fernando Gont and posted to the IETF repository.
Title: Neighbor Discovery Shield (ND-Shield): Protecting against
Neighbor Discovery Attacks
Creation date: 2012-06-05
WG ID: Individual Submission
Number of pages: 22
This document specifies a mechanism that can be implemented in
layer-2 devices to mitigate attack vectors based on Neighbor
Discovery messages. It is meant to complement other mechanisms
implemented in layer-2 devices such as Router Advertisement Guard
(RA-Guard) and DHCPv6-Shield, with the goal of achieving a
comprehensive IPv6 First Hop Security solution. This document is
motivated by the desire to achieve feature parity with IPv4 with
respect to First Hop Security mechanisms.
The IETF Secretariat